RealWorldClaw

Give your AI agent physical world capabilities via RealWorldClaw — control ESP32 modules, read sensors (temperature, humidity, motion), actuate relays/servos...

This skill is internally consistent with its stated purpose (ESP32/IoT control) but review and harden a few things before use: 1) Inspect and edit config.json — replace the default api_url if you don't want data sent to the public endpoint. 2) Note MQTT is configured to skip TLS certificate verification (tls_insecure_set(True)), which is insecure for non-local/trusted networks — enable proper cert verification if using TLS or prefer plain local MQTT without TLS. 3) The CLI will read/write config.json and rules.json in the skill folder — treat those files as sensitive (they may contain device access codes). 4) Run the skill in a network-isolated environment (or firewall rules) if you plan to control production hardware. 5) Review the scripts/rwc.py source (already included) for any behavioral changes before running, and pin/verify the versions of httpx and paho-mqtt you install. If you need higher assurance, avoid using the default cloud API and only operate against devices on a trusted local network.

Type: OpenClaw Skill Name: realworldclaw Version: 0.1.0 The skill is classified as suspicious primarily due to a critical security vulnerability in `scripts/rwc.py` where SSL certificate verification is explicitly disabled for MQTT connections (`client.tls_insecure_set(True)`). This makes local communication with ESP32 devices vulnerable to Man-in-the-Middle attacks, allowing potential interception or manipulation of sensor data and commands. Additionally, the skill, as instructed in `SKILL.md` and implemented in `scripts/rwc.py`, sends user-provided registration and login credentials (username, email, password) to an external third-party API (`https://realworldclaw-api.fly.dev/api/v1`). While this is documented as intended functionality, it represents a high-risk action requiring significant trust in the external service.